The following sections describe the steps you must perform
to create a certificate chain. Before you create the chain, you
must have the following certificates:

Creating an Intermediate CA (RA) Certificate

With the Certificate Tool, you can generate an X509 certificate
for an intermediate CA or RA (Registration Authority). Perform the
following steps to generate an X509 certificate.
1. Create a certificate signing request. (Select item 3 in the Certificate
   Tool Main Menu.)
2. Sign the certificate signing request with the root
   CA certificate. (Select item 6 in the Certificate Tool Main Menu.)

To create an intermediate CA, you must encrypt the private
key when you create the certificate signing request (with PEM passphrase).

Creating a Client/Server Certificate Signed with an Intermediate CA Certificate

After you create an intermediate CA certificate (described
in the previous section), create a client/server certificate as
follows:
1. Create a certificate signing
   request. (Select menu item 3 in the Certificate Tool Main Menu.)
2. Sign the certificate signing request with the intermediate
   CA certificate. (Select menu item 6 in the Certificate Tool Main
   Menu.)

Encrypting the private key
is not required for creating a client/server certificate. However,
if the key is encrypted, you can also use the certificate as an
intermediate CA certificate with which another certificate will
be signed.

Creating a Certificate Chain File

Some OpenSSL APIs require a certificate chain file. This file
contains certificates that form the certificate chain (from the
client/server certificate to the root CA certificate).

To create a certificate chain file, append the certificates
of intermediate CA(s) and the root CA to the client/server certificate.
The order in the file can be expressed as follows:
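
The ordering described above (client/server certificate first, then the intermediate CA(s), then the root CA), as an added example that is not part of the original documentation. It uses the openssl command line instead of the Certificate Tool, and the subjects, file names and the helper functions make_certs, build_chain and check_chain_order are constructed for illustration.

```shell
#!/bin/sh
# Added example. All names, subjects and file names are constructed; keys are
# throwaway and left unencrypted because nothing here outlives the temp dir.

make_certs() {  # $1 = work dir; writes root.pem, int.pem, leaf.pem
    d=$1
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' \
        '[dn]' '[v3_ca]' 'basicConstraints=critical,CA:TRUE' > "$d/ca.cnf"
    # Root CA: self-signed.
    openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 30 \
        -subj '/CN=Example Root CA' -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    # Intermediate CA and server certificate: CSR first, then signed by the issuer.
    for pair in 'int:Example Intermediate CA' 'leaf:server.example.test'; do
        openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
            -subj "/CN=${pair#*:}" -keyout "$d/${pair%%:*}.key" \
            -out "$d/${pair%%:*}.csr" 2>/dev/null
    done
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -set_serial 2 \
        -days 30 -extfile "$d/ca.cnf" -extensions v3_ca -out "$d/int.pem" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -set_serial 3 \
        -days 30 -out "$d/leaf.pem" 2>/dev/null
}

build_chain() {  # $1 = output; then leaf, intermediate CA(s), root CA, in that order
    out=$1; shift
    cat "$@" > "$out"
}

check_chain_order() {  # $1 = chain file; 0 if every cert is issued by the next one
    n=$(grep -c 'BEGIN CERTIFICATE' "$1" || true)
    [ "$n" -gt 0 ] || return 1
    t=$(mktemp -d) || return 2
    awk -v d="$t" '/-----BEGIN CERTIFICATE-----/ {n++} n {print > (d "/" n ".pem")}' "$1"
    i=1; rc=0
    while [ "$i" -le "$n" ]; do
        next=$((i + 1)); [ "$i" -eq "$n" ] && next=$i   # the root must be self-issued
        iss=$(openssl x509 -in "$t/$i.pem" -noout -issuer | sed 's/^issuer= *//')
        sub=$(openssl x509 -in "$t/$next.pem" -noout -subject | sed 's/^subject= *//')
        [ "$iss" = "$sub" ] || { echo "cert $i is not issued by cert $next" >&2; rc=1; }
        i=$((i + 1))
    done
    rm -rf "$t"; return "$rc"
}

work=$(mktemp -d)
make_certs "$work"
build_chain "$work/chain.pem" "$work/leaf.pem" "$work/int.pem" "$work/root.pem"
check_chain_order "$work/chain.pem" && echo "chain order OK"
```

check_chain_order compares issuer and subject names only; a signature check of the same three files is `openssl verify -CAfile root.pem -untrusted int.pem leaf.pem`.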